Performance of Firewalls for Industrial Applications

The increased exposure of industrial control systems to cyber threats and attacks demands for the deployment of adequate security countermeasures. Specialised firewalls, able to recognise and inspect traffic concerning special-purpose communication protocols adopted in industrial environments, are one of the basic solutions that have started spreading on the market. This paper deals with the performance evaluation of two commercial firewalls designed for industrial applications. Our analysis is mainly based on the measurement of typical parameters that are relevant for the considered application scenario. A more conventional device has also been considered in the experimental campaign so as to provide a reference comparison with a well-assessed and general-purpose product. In particular, the paper focuses on the firewall packet inspection capabilities for the Modbus/TCP protocol.

Content

Author and article information

Contributors

Manuel Cheminod

Luca Durante

Marcello Maggiora

Adriano Valenzanoa

Claudio Zunino

Conference

Publication date: August 2016

Publication date (Print): August 2016

Pages: 42-52

Affiliations

[ ^a ]National Research Council of Italy – IEIIT

[ ^b ]Politecnico di Torino – IT Division

c.so Duca degli Abruzzi 24

I-10129 Torino, Italy

Article

DOI: 10.14236/ewic/ICS2016.6

SO-VID: 4d8035c4-c610-400a-9770-7a0cc5ecea27

License:

This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

Conference name: 4th International Symposium for ICS & SCADA Cyber Security Research 2016

Conference acronym: ICS-CSR

Conference number: 4

Conference location: Queen’s Belfast University, UK

Conference date: 23 - 25 August 2016

Conference sponsor: Electronic Workshops in Computing (eWiC)

Conference theme: Cyber Security Research

History

Product

1477-9358 BCS Learning & Development

Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/ICS2016.6

Self URI (journal page): https://ewic.bcs.org/

REFERENCES

Belden–Hirschmann 2016 Tofino Xenon security appliance ext-link-type="uri" xlink: href="https://www.e-catalog">https://www.e-catalog.beldensolutions.com/link/57078-24455-49853-411807/en/conf/0 Accessed 20 May 2016
G. Carvajal et al 2014 Evaluation of communication architectures for switched real-time ethernet IEEE Trans. on Computers 63 1 218 229
M. Cereia et al 2014 Latency evaluation of a firewall for industrial networks based on the tofino industrial security solution Proc. of the 19th IEEE Int. Conf. on Emerging Technology and Factory Automation (ETFA) 1 8
M. Cheminod et al 2013 Review of security issues in industrial networks IEEE Trans. Ind. Informat 9 1 277 293
Fortinet 2016 FortiGate/FortiWiFi® 60D Series ext-link-type="uri" xlink: href="https://www.fortinet.com/content/">https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_ FortiWiFi_60D_Series.pdf Accessed 20 May 2016
B. Hickman et al 2003 Benchmarking methodology for firewall performance IETF RFC 3511
iPerf 2016 iPerf - the network bandwidth measurement tool ext-link-type="uri" xlink: href="https://iperf.fr/">https://iperf.fr/ Accessed 20 May 2016
W. Knowles et al 2015 A survey of cyber security management in industrial control systems Int. Journal of Critical Infrastructure Protection 9 52 80
Modbus Organization 2012 Modbus Protocol Specification V1.1b3 ext-link-type="uri" xlink: href="http://www.modbus.org/specs.php">http://www.modbus.org/specs.php Accessed 20 May 2016
Moxa 2016 EDR-810 ext-link-type="uri" xlink: href="http://">http://www.moxa.com/product/EDR-810.htm">www.moxa.com/product/EDR-810.htm Accessed 20 May 2016
S. Raimbault 2016 libmodbus ext-link-type="uri" xlink: href="http://libmodbus.org/">http://libmodbus.org/ Accessed 20 May 2016
A. Sajjad et al 2015 A scalable and dynamic application-level secure communication framework for inter-cloud services Future Generation Computer Systems 48 19 27
T. Skybakmoen 2014 Next generation firewall comparative analysis security value map ext-link-type="uri" xlink: href="https://www.nsslabs.com/research-advisory/security-value-maps/2014/ngfw-svm-2014/">https://www.nsslabs.com/research-advisory/security-value-maps/2014/ngfw-svm-2014/ Accessed 20 May 2016
Wireshark Foundation 2016 Wireshark – Go deep ext-link-type="uri" xlink: href="http://www.wireshark.org/">http://www.wireshark.org/ Accessed 20 May 2016
E. Yildirim et al 2008 Which network measurement tool is right for you? A multidimensional comparison study Proc. of the 9th IEEE/ACM Int. Conf. on Grid Computing (GRID) 266 275

Comments

Comment on this article

[1] Belden–Hirschmann 2016 Tofino Xenon security appliance ext-link-type="uri" xlink: href="https://www.e-catalog">https://www.e-catalog.beldensolutions.com/link/57078-24455-49853-411807/en/conf/0 Accessed 20 May 2016

[2] G. Carvajal et al 2014 Evaluation of communication architectures for switched real-time ethernet IEEE Trans. on Computers 63 1 218 229

[3] M. Cereia et al 2014 Latency evaluation of a firewall for industrial networks based on the tofino industrial security solution Proc. of the 19th IEEE Int. Conf. on Emerging Technology and Factory Automation (ETFA) 1 8

[4] M. Cheminod et al 2013 Review of security issues in industrial networks IEEE Trans. Ind. Informat 9 1 277 293

[5] Fortinet 2016 FortiGate/FortiWiFi® 60D Series ext-link-type="uri" xlink: href="https://www.fortinet.com/content/">https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_ FortiWiFi_60D_Series.pdf Accessed 20 May 2016

[6] B. Hickman et al 2003 Benchmarking methodology for firewall performance IETF RFC 3511

[7] iPerf 2016 iPerf - the network bandwidth measurement tool ext-link-type="uri" xlink: href="https://iperf.fr/">https://iperf.fr/ Accessed 20 May 2016

[8] W. Knowles et al 2015 A survey of cyber security management in industrial control systems Int. Journal of Critical Infrastructure Protection 9 52 80

[9] Modbus Organization 2012 Modbus Protocol Specification V1.1b3 ext-link-type="uri" xlink: href="http://www.modbus.org/specs.php">http://www.modbus.org/specs.php Accessed 20 May 2016

[10] Moxa 2016 EDR-810 ext-link-type="uri" xlink: href="http://">http://www.moxa.com/product/EDR-810.htm">www.moxa.com/product/EDR-810.htm Accessed 20 May 2016

[11] S. Raimbault 2016 libmodbus ext-link-type="uri" xlink: href="http://libmodbus.org/">http://libmodbus.org/ Accessed 20 May 2016

[12] A. Sajjad et al 2015 A scalable and dynamic application-level secure communication framework for inter-cloud services Future Generation Computer Systems 48 19 27

[13] T. Skybakmoen 2014 Next generation firewall comparative analysis security value map ext-link-type="uri" xlink: href="https://www.nsslabs.com/research-advisory/security-value-maps/2014/ngfw-svm-2014/">https://www.nsslabs.com/research-advisory/security-value-maps/2014/ngfw-svm-2014/ Accessed 20 May 2016

[14] Wireshark Foundation 2016 Wireshark – Go deep ext-link-type="uri" xlink: href="http://www.wireshark.org/">http://www.wireshark.org/ Accessed 20 May 2016

[15] E. Yildirim et al 2008 Which network measurement tool is right for you? A multidimensional comparison study Proc. of the 9th IEEE/ACM Int. Conf. on Grid Computing (GRID) 266 275

Celebrating 65 years of The Computer Journal - free-to-read perspectives - bcs.org/tcj65